Friday, 25 November 2011

Will the real Morris Hickey please stand up?

It has been stated elsewhere on this blog that Morris's e-mail account has clearly been hacked.

However, I don't think that is really the case. There is no doubt that his Contacts file has come into the hands of miscreants but that is not the same thing.

The important thing here is that the e-mail referred to did NOT come from Morris Hickey's e-mail account! It came from an entirely different account which had been deliberately set-up with Morris's name and e-mail address as the sender.

If you still have both the spam mail and a real 'MorrisMail™', you can check this for yourself.

Looking at the spam first, select 'View Source' or 'View Headers' (the wording varies with the mail client you use on your PC). In the page that follows you will see a lot of information, including several lines that start 'Received: '. The important one is the very last 'Received' entry, which sits just above the normal Date/From/Subject/To entries you usually see, like this:

Received: from [85.237.212.114] by web87312.mail.ird.yahoo.com via HTTP; Fri, 18 Nov 2011 11:58:59 GMT
X-Mailer: YahooMailWebService/0.8.115.325013
Message-ID: <1321_____________________lNeo@web87312.mail.ird.yahoo.com>
Date: Fri, 18 Nov 2011 11:58:59 +0000 (GMT)
From: MORRIS HICKEY
Reply-To: MORRIS HICKEY
Subject: Emergency
To: undisclosed recipients: ;


It is the IP address in this line - 85.237.212.114 - that identifies the source of the e-mail. If you do the same thing with a real 'MorrisMail™', you will come up with 86.181.186.65 or similar.

Using a Whois web look-up service to identify these addresses gives BT Internet for the 'MorrisMail™', but the spam comes from here:

85.237.212.114

Areti Internet Ltd.
Seymour House
South Street
BROMLEY
Kent
BR1 1RH
United Kingdom
phone: +44 870 950 5950

Not BT, is it? In fact, Areti now trade as Alentus UK and the IP Address record uses a mixture of both names, including both abuse@alentus.co.uk and abuse@areti.net for complaints!


As for complaints, I used the excellent SpamCop.net service to report the spam when I first saw it.

The e-mail address on a mail you receive does not have to agree with the service used to send it. In fact, I have several e-mail accounts set up on my PC (using Thunderbird), which uses one outgoing server as the default irrespective of which account I select for identification/return mail.

Anybody who has mail from me sent using a tiscali.co.uk address can easily check this out as above!

I have to be careful if sending mail to large organisations such as Redbridge Council, for example, which bounces my mails because the mail server used does not agree with the return address! Unfortunately, I don't know of anything that can perform similar checks on a home PC.
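As an added illustration, not taken from the original post, the following Python script does on a home PC what the paragraphs above describe by hand: it pulls the 'Received:' headers out of a raw message, treats the bottom-most one as the originating hop, extracts the IP address from it, and compares that address with an allow-list of expected source addresses for the From address, which is essentially the check the author says the council's mail server performs. The two sample messages, the mailbox name morris@example.invalid, the relay names and the allow-list are all constructed for this example; the two IP addresses are the ones quoted in the post.

```python
import email
import email.utils
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample messages. The Received lines are modelled on the header
# block quoted in the post; the addresses morris@example.invalid and the
# *.invalid hostnames are placeholders, not the real ones.
SPOOFED_RAW = """Received: from mta.example.invalid (mta.example.invalid [192.0.2.10])
 by mx.recipient.invalid with ESMTP; Fri, 18 Nov 2011 11:59:02 +0000
Received: from [85.237.212.114] by web87312.mail.ird.yahoo.com via HTTP; Fri, 18 Nov 2011 11:58:59 GMT
X-Mailer: YahooMailWebService/0.8.115.325013
Date: Fri, 18 Nov 2011 11:58:59 +0000 (GMT)
From: MORRIS HICKEY <morris@example.invalid>
Subject: Emergency
To: undisclosed recipients: ;

Body of the spam (constructed).
"""

GENUINE_RAW = """Received: from mta.example.invalid (mta.example.invalid [192.0.2.10])
 by mx.recipient.invalid with ESMTP; Fri, 18 Nov 2011 09:00:02 +0000
Received: from [86.181.186.65] by smtp.btinternet.invalid; Fri, 18 Nov 2011 09:00:00 +0000
Date: Fri, 18 Nov 2011 09:00:00 +0000
From: Morris Hickey <morris@example.invalid>
Subject: Minutes of the last meeting
To: someone@example.invalid

Body of a normal mail (constructed).
"""

# Expected source addresses per sender (constructed allow-list). A real list
# would hold the provider's network ranges; the single /32 stands in for them.
EXPECTED_SOURCES: Dict[str, List[str]] = {
    "morris@example.invalid": ["86.181.186.65/32"],
}

# Matches a dotted-quad IPv4 address, with or without the surrounding brackets.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def received_headers(raw: str) -> List[str]:
    """Return every Received header, top to bottom, with folding removed."""
    msg = email.message_from_string(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def originating_ip(raw: str) -> Optional[str]:
    """IP address from the earliest (bottom-most) Received header.

    Each relay prepends its own Received line, so the last one in the
    header block is the hop closest to the sender."""
    hops = received_headers(raw)
    if not hops:
        return None
    match = IP_RE.search(hops[-1])
    return match.group(1) if match else None


def check_sender(raw: str) -> Dict[str, object]:
    """Compare the originating IP with the allow-list for the From address."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    ip = originating_ip(raw)
    expected = EXPECTED_SOURCES.get(from_addr)
    verdict = "unknown-sender"
    if expected and ip:
        addr = ipaddress.ip_address(ip)
        ok = any(addr in ipaddress.ip_network(net) for net in expected)
        verdict = "consistent" if ok else "MISMATCH"
    return {
        "from": from_addr,
        "origin_ip": ip,
        "hops": len(received_headers(raw)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("spam", SPOOFED_RAW), ("genuine", GENUINE_RAW)):
        print(label, check_sender(raw))
```

Running it reports a MISMATCH for the spam (origin 85.237.212.114) and "consistent" for the genuine mail. As the post itself notes, a mismatch is a reason to look closer rather than proof on its own: mail legitimately sent through a third-party server, such as the author's Thunderbird set-up, will trip the same check.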

Morris changed his mail password as soon as he found out about the spam but, as his account wasn't used for the spam attack, that will achieve nothing!

Morris is using a brand new computer, I believe, which raises the question of what happened to the old one. If he no longer has it, or it has recently passed through the hands of a third party, the source of the spam is clear: some lower life form simply copied his Contacts folder from the hard drive!

Hopefully, this attack was a one-off - I certainly haven't seen any more spam in the past week - but the concern now must be that the culprits will sell the address list on. In that case, a lot of us can expect to see masses of spam in the future - from a variety of senders ...

And from servers much further away than Bromley ...!

6 comments:

  1. One point you're missing here is that the original email came from Morris's bona fide email address and that the criminals in Spain were able to reply to emails sent to it, which Morris himself wasn't receiving. Neither of these would have been possible simply by copying from an old address book. Now if the old computer had the email password stored within it as an auto-login, that's another matter...

  2. Morris told me that he changed his password as soon as he found out about it (shortly after it was sent). However, I've since been told that he couldn't access his mail - send or receive - afterwards. I wonder if he made a mistake and, unbeknown to him, his old password still works ...

    If indeed there has been further mail from the perpetrators, I would be very interested in seeing the message headers as the first mail came from a UK source, although the telephone is most definitely not in the UK ...

    Did anybody else report this spam? It occurs to me that, unlike spam originating in the far east, etc., that there was an opportunity here for the police to track down the UK end of the spam.

  3. He's back .. with a new email address!
    But he's lost his address book!

  4. Having often been critical of Redbridge-i Forum and its administrators (the main reason behind setting up this blog) I should like to declare publicly that Angela Bernard, the council's web manager, was very quick off the mark in contacting me by telephone and offering advice and help.

    Many thanks Angela - just keep sending the money!

  5. Sending the money, to keep you in Madrid?
    In fact the redimanager needs you here, badly.
    The new format and you being kidnapped created a completely deserted red-i website!

  6. ..and now it's ex cllr Linda Eyre.
    This one came from Nigeria though ...
